hacktricks/.github/workflows/build_master.yml

name: Build Master

on:
  push:
    branches:
      - master
    paths-ignore:
      - 'scripts/**'
      - '.gitignore'
      - '.github/**'
      - 'book/**'
  workflow_dispatch:

concurrency: build_master

permissions:
  packages: write
  id-token: write
  contents: write

jobs:
  run-translation:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/hacktricks-wiki/hacktricks-cloud/translator-image:latest
    environment: prod

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
      
      # Build the mdBook
      - name: Build mdBook
        run: MDBOOK_BOOK__LANGUAGE=en mdbook build || (echo "Error logs" && cat hacktricks-preprocessor-error.log && echo "" && echo "" && echo "Debug logs" && (cat hacktricks-preprocessor.log | tail -n 20) && exit 1)
      
      - name: Update searchindex in repo (purge history, keep current on HEAD)
        shell: bash
        run: |
          set -euo pipefail

          ls -la
          ls -la book

          git config --global --add safe.directory /__w/hacktricks/hacktricks
          git config --global user.email "build@example.com"
          git config --global user.name "Build master"
          git config pull.rebase false

          # Ensure we're on the target branch and up to date
          git fetch origin
          git reset --hard origin/master

          # Choose the file to keep at HEAD:
          # 1) Prefer freshly built version from book/
          # 2) Fallback to the file currently at HEAD (if it exists)
          HAS_FILE=0
          if [ -f "book/searchindex.js" ]; then
            cp "book/searchindex.js" /tmp/sidx.js
            HAS_FILE=1
          elif git cat-file -e "HEAD:searchindex.js" 2>/dev/null; then
            git show "HEAD:searchindex.js" > /tmp/sidx.js
            HAS_FILE=1
          fi

          # Skip if there's nothing to purge AND nothing to keep
          if [ "$HAS_FILE" = "1" ] || git rev-list -n 1 HEAD -- "searchindex.js" >/dev/null 2>&1; then
            # Fail early if working tree is dirty (avoid confusing rewrites)
            git diff --quiet || { echo "Working tree has uncommitted changes; aborting purge." >&2; exit 1; }

            # Install git-filter-repo and ensure it's on PATH
            python -m pip install --quiet --user git-filter-repo
            export PATH="$HOME/.local/bin:$PATH"

            # Rewrite ONLY the current branch, dropping all historical blobs of searchindex.js
            git filter-repo --force --path "searchindex.js" --invert-paths --refs "$(git symbolic-ref -q HEAD)"

            # Re-add the current version on top of rewritten history (keep it in HEAD)
            if [ "$HAS_FILE" = "1" ]; then
              mv /tmp/sidx.js "searchindex.js"
              git add "searchindex.js"
              git commit -m "Update searchindex (purged history; keep current)"
            else
              echo "No current searchindex.js to re-add after purge."
            fi

            # Safer force push (only updates if remote hasn't advanced)
            git push --force-with-lease
          else
            echo "Nothing to purge; skipping."
          fi


      # Login in AWs
      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      
      # Sync the build to S3
      - name: Sync to S3
        run: aws s3 sync ./book s3://hacktricks-wiki/en --delete